The bureaucracy tasked with ObamaCare implementation may be violating a law that requires government agencies to keep private information safe.
Under the the Federal Information Security Management Act (FISMA), the Department of Health and Human Services’ Center for Medicare and Medicaid Services (CMS) is required to have an “Authority to Operate,” or ATO. In order to receive an ATO, new information tech systems must perform a set of tests, including “Security Control Assessments” (SCA).
But according to CMS’s 2014 budget request, no such security assessment took place. The Federal Healthcare Marketplace website was rolled out without full end-to-end testing.